-rw-r--r-- | app/controllers/autocomplete_controller.rb | 2 | ||||
-rw-r--r-- | changelogs/unreleased/dz-restrict-autocomplete.yml | 4 | ||||
-rw-r--r-- | spec/controllers/autocomplete_controller_spec.rb | 30 |
3 files changed, 25 insertions, 11 deletions
diff --git a/app/controllers/autocomplete_controller.rb b/app/controllers/autocomplete_controller.rb
index d7a45bacd35..a71fbb91f42 100644
--- a/app/controllers/autocomplete_controller.rb
+++ b/app/controllers/autocomplete_controller.rb
@@ -22,7 +22,7 @@ class AutocompleteController < ApplicationController
       @users = [current_user, *@users]
     end
 
-    if params[:author_id].present?
+    if params[:author_id].present? && current_user
       author = User.find_by_id(params[:author_id])
       @users = [author, *@users].uniq if author
     end
diff --git a/changelogs/unreleased/dz-restrict-autocomplete.yml b/changelogs/unreleased/dz-restrict-autocomplete.yml
new file mode 100644
index 00000000000..65c944653f8
--- /dev/null
+++ b/changelogs/unreleased/dz-restrict-autocomplete.yml
@@ -0,0 +1,4 @@
+---
+title: Allow users autocomplete by author_id only for authenticated users
+merge_request:
+author:
diff --git a/spec/controllers/autocomplete_controller_spec.rb b/spec/controllers/autocomplete_controller_spec.rb
index 7d2f6dd9d0a..14b105c69e5 100644
--- a/spec/controllers/autocomplete_controller_spec.rb
+++ b/spec/controllers/autocomplete_controller_spec.rb
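Review bot: The added `&& current_user` guard only establishes that someone is signed in; it does not check whether that account is allowed to see the looked-up user, so any authenticated account can still resolve an arbitrary `author_id` to a username through the `User.find_by_id` call on the next line. If that is the intended policy, it deserves a comment on the `if` line, e.g. `# Only signed-in users may resolve an author_id; anonymous callers must not be able to probe user ids`; if not, `author` should additionally pass the project's ability check (something like `can?(current_user, :read_user, author)`, whichever ability the project defines for reading a user) before it is merged into `@users`. The `users` action enclosing this block starts and ends outside the hunk.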
@@ -156,22 +156,32 @@ describe AutocompleteController do end context 'author of issuable included' do - before do - sign_in(user) - end - let(:body) { JSON.parse(response.body) } - it 'includes the author' do - get(:users, author_id: non_member.id) + context 'authenticated' do + before do + sign_in(user) + end + + it 'includes the author' do + get(:users, author_id: non_member.id) + + expect(body.first["username"]).to eq non_member.username + end + + it 'rejects non existent user ids' do + get(:users, author_id: 99999) - expect(body.first["username"]).to eq non_member.username + expect(body.collect { |u| u['id'] }).not_to include(99999) + end end - it 'rejects non existent user ids' do - get(:users, author_id: 99999) + context 'without authenticating' do + it 'returns empty result' do + get(:users, author_id: non_member.id) - expect(body.collect { |u| u['id'] }).not_to include(99999) + expect(body).to be_empty + end end end |
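Review bot: `expect(body).to be_empty` in the new 'without authenticating' example does not isolate the author_id gate: it also passes whenever the `users` action returns nothing to anonymous requests for any other reason, and it would start failing if that endpoint ever legitimately returned a public user list. A tighter assertion is that the requested id is absent, `expect(body.collect { |u| u['id'] }).not_to include(non_member.id)`, mirroring the existing 'rejects non existent user ids' example. The `describe AutocompleteController` block enclosing these examples starts outside the hunk.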